#483. Output escaping for HTML.

README.md

@@ -24,7 +24,7 @@ Read more about PHPWord:
 
 ## Features
 
-With PHPWord, you can create DOCX, ODT, or RTF documents dynamically using your PHP 5.3+ scripts. Below are some of the things that you can do with PHPWord library:
+With PHPWord, you can create OOXML, ODF, or RTF documents dynamically using your PHP 5.3.3+ scripts. Below are some of the things that you can do with PHPWord library:
 
 - Set document properties, e.g. title, subject, and creator.
 - Create document sections with different settings, e.g. portrait/landscape, page size, and page numbering
@@ -52,12 +52,14 @@ With PHPWord, you can create DOCX, ODT, or RTF documents dynamically using your
 
 PHPWord requires the following:
 
-- PHP 5.3+
+- PHP 5.3.3+
 - [XML Parser extension](http:https://www.php.net/manual/en/xml.installation.php)
+- [Zend\Escaper component](http:https://framework.zend.com/manual/current/en/modules/zend.escaper.introduction.html)
+- Zend\Stdlib component
 - [Zend\Validator component](http:https://framework.zend.com/manual/current/en/modules/zend.validator.html)
-- [Zip extension](http:https://php.net/manual/en/book.zip.php) (optional, used to write DOCX and ODT)
+- [Zip extension](http:https://php.net/manual/en/book.zip.php) (optional, used to write OOXML and ODF)
 - [GD extension](http:https://php.net/manual/en/book.image.php) (optional, used to add images)
-- [XMLWriter extension](http:https://php.net/manual/en/book.xmlwriter.php) (optional, used to write DOCX and ODT)
+- [XMLWriter extension](http:https://php.net/manual/en/book.xmlwriter.php) (optional, used to write OOXML and ODF)
 - [XSL extension](http:https://php.net/manual/en/book.xsl.php) (optional, used to apply XSL style sheet to template )
 - [dompdf library](https://github.com/dompdf/dompdf) (optional, used to write PDF)
 
@@ -149,7 +151,6 @@ $objWriter->save('helloWorld.html');
 /* Note: we skip RTF, because it's not XML-based and requires a different example. */
 /* Note: we skip PDF, because "HTML-to-PDF" approach is used to create PDF documents. */
 ```
-:warning: Escape any string you pass to HTML document, otherwise it may get broken.
 
 More examples are provided in the [samples folder](samples/). You can also read the [Developers' Documentation](http:https://phpword.readthedocs.org/) and the [API Documentation](http:https://phpoffice.github.io/PHPWord/docs/master/) for more detail.
 

composer.json

@@ -1,10 +1,10 @@
 {
  "name": "phpoffice/phpword",
- "description": "PHPWord - A pure PHP library for reading and writing word processing documents (DOCX, ODT, RTF, HTML, PDF)",
+ "description": "PHPWord - A pure PHP library for reading and writing word processing documents (OOXML, ODF, RTF, HTML, PDF)",
  "keywords": [
- "PHP", "PhpOffice", "office", "PhpWord", "word", "template", "template processor", "reader", "writer",
+ "PHP", "PHPOffice", "office", "PHPWord", "word", "template", "template processor", "reader", "writer",
  "docx", "OOXML", "OpenXML", "Office Open XML", "ISO IEC 29500", "WordprocessingML",
- "RTF", "Rich Text Format", "doc", "odt", "OpenDocument", "PDF", "HTML"
+ "RTF", "Rich Text Format", "doc", "odt", "ODF", "OpenDocument", "PDF", "HTML"
  ],
  "homepage": "http:https://phpoffice.github.io",
  "type": "library",
@@ -34,8 +34,9 @@
  "require": {
  "php": ">=5.3.3",
  "ext-xml": "*",
- "zendframework/zend-stdlib": "~2.5",
- "zendframework/zend-validator": "2.5.*",
+ "zendframework/zend-escaper": "2.4.*",
+ "zendframework/zend-stdlib": "2.4.*",
+ "zendframework/zend-validator": "2.4.*",
  "phpoffice/common": "0.2.*"
  },
  "require-dev": {
@@ -46,15 +47,12 @@
  "phploc/phploc": "2.*",
  "dompdf/dompdf":"0.6.*",
  "tecnickcom/tcpdf": "6.*",
- "mpdf/mpdf": "5.*",
- "zendframework/zend-stdlib": "~2.5",
- "zendframework/zend-validator": "2.5.*",
- "phpoffice/common": "0.2.*"
+ "mpdf/mpdf": "5.*"
  },
  "suggest": {
- "ext-zip": "Allows writing DOCX and ODT",
+ "ext-zip": "Allows writing OOXML and ODF",
  "ext-gd2": "Allows adding images",
- "ext-xmlwriter": "Allows writing DOCX and ODT",
+ "ext-xmlwriter": "Allows writing OOXML and ODF",
  "ext-xsl": "Allows applying XSL style sheet to main document part of OOXML template",
  "dompdf/dompdf": "Allows writing PDF"
  },

docs/installing.rst

@@ -8,8 +8,10 @@ Requirements
 
 Mandatory:
 
-- PHP 5.3+
+- PHP 5.3.3+
 - `XML Parser <http:https://www.php.net/manual/en/xml.installation.php>`__ extension
+- `Zend\\Escaper <http:https://framework.zend.com/manual/current/en/modules/zend.escaper.introduction.html>`__ component
+- Zend\\Stdlib component
 - `Zend\\Validator <http:https://framework.zend.com/manual/current/en/modules/zend.validator.html>`__ component
 
 Optional:

docs/intro.rst

@@ -63,7 +63,7 @@ Writers
 ~~~~~~~
 
 +---------------------------+----------------------+--------+-------+-------+--------+-------+
-| Features | | DOCX | ODT | RTF | HTML | PDF |
+| Features | | OOXML | ODF | RTF | HTML | PDF |
 +===========================+======================+========+=======+=======+========+=======+
 | **Document Properties** | Standard | ✓ | ✓ | ✓ | ✓ | ✓ |
 +---------------------------+----------------------+--------+-------+-------+--------+-------+
@@ -122,7 +122,7 @@ Readers
 ~~~~~~~
 
 +---------------------------+----------------------+--------+-------+-------+-------+-------+
-| Features | | DOCX | DOC | ODT | RTF | HTML |
+| Features | | OOXML | DOC | ODF | RTF | HTML |
 +===========================+======================+========+=======+=======+=======+=======+
 | **Document Properties** | Standard | ✓ | | | | |
 +---------------------------+----------------------+--------+-------+-------+-------+-------+

src/PhpWord/Writer/HTML/Element/AbstractElement.php

@@ -19,6 +19,7 @@
 
 use PhpOffice\PhpWord\Element\AbstractElement as Element;
 use PhpOffice\PhpWord\Writer\AbstractWriter;
+use Zend\Escaper\Escaper;
 
 /**
  * Abstract HTML element writer
@@ -48,6 +49,11 @@ abstract class AbstractElement
  */
  protected $withoutP = false;
 
+ /**
+ * @var \Zend\Escaper\Escaper
+ */
+ protected $escaper;
+
  /**
  * Write element
  */
@@ -65,6 +71,7 @@ public function __construct(AbstractWriter $parentWriter, Element $element, $wit
  $this->parentWriter = $parentWriter;
  $this->element = $element;
  $this->withoutP = $withoutP;
+ $this->escaper = new Escaper();
  }
 
  /**

src/PhpWord/Writer/HTML/Element/Link.php

@@ -16,6 +16,7 @@
  */
 
 namespace PhpOffice\PhpWord\Writer\HTML\Element;
+use PhpOffice\PhpWord\Settings;
 
 /**
  * Link element HTML writer
@@ -37,7 +38,11 @@ public function write()
 
  $content = '';
  $content .= $this->writeOpening();
- $content .= "<a href=\"{$this->element->getSource()}\">{$this->element->getText()}</a>";
+ if (Settings::isOutputEscapingEnabled()) {
+ $content .= "<a href=\"{$this->escaper->escapeHtmlAttr($this->element->getSource())}\">{$this->escaper->escapeHtml($this->element->getText())}</a>";
+ } else {
+ $content .= "<a href=\"{$this->element->getSource()}\">{$this->element->getText()}</a>";
+ }
  $content .= $this->writeClosing();
 
  return $content;

src/PhpWord/Writer/HTML/Element/ListItem.php

@@ -16,6 +16,7 @@
  */
 
 namespace PhpOffice\PhpWord\Writer\HTML\Element;
+use PhpOffice\PhpWord\Settings;
 
 /**
  * ListItem element HTML writer
@@ -35,8 +36,11 @@ public function write()
  return '';
  }
 
- $text = $this->element->getTextObject()->getText();
- $content = '<p>' . $text . '</p>' . PHP_EOL;
+ if (Settings::isOutputEscapingEnabled()) {
+ $content = '<p>' . $this->escaper->escapeHtml($this->element->getTextObject()->getText()) . '</p>' . PHP_EOL;
+ } else {
+ $content = '<p>' . $this->element->getTextObject()->getText() . '</p>' . PHP_EOL;
+ }
 
  return $content;
  }

src/PhpWord/Writer/HTML/Element/Text.php

@@ -17,6 +17,7 @@
 
 namespace PhpOffice\PhpWord\Writer\HTML\Element;
 
+use PhpOffice\PhpWord\Settings;
 use PhpOffice\PhpWord\Style\Font;
 use PhpOffice\PhpWord\Style\Paragraph;
 use PhpOffice\PhpWord\Writer\HTML\Style\Font as FontStyleWriter;
@@ -72,7 +73,11 @@ public function write()
  $content .= $this->writeOpening();
  $content .= $this->openingText;
  $content .= $this->openingTags;
- $content .= $element->getText();
+ if (Settings::isOutputEscapingEnabled()) {
+ $content .= $this->escaper->escapeHtml($element->getText());
+ } else {
+ $content .= $element->getText();
+ }
  $content .= $this->closingTags;
  $content .= $this->closingText;
  $content .= $this->writeClosing();
@@ -130,7 +135,12 @@ protected function writeClosing()
  {
  $content = '';
  if (!$this->withoutP) {
- $content .= $this->closingText;
+ if (Settings::isOutputEscapingEnabled()) {
+ $content .= $this->escaper->escapeHtml($this->closingText);
+ } else {
+ $content .= $this->closingText;
+ }
+
  $content .= "</p>" . PHP_EOL;
  }
 

src/PhpWord/Writer/HTML/Element/Title.php

@@ -16,6 +16,7 @@
  */
 
 namespace PhpOffice\PhpWord\Writer\HTML\Element;
+use PhpOffice\PhpWord\Settings;
 
 /**
  * TextRun element HTML writer
@@ -36,7 +37,11 @@ public function write()
  }
 
  $tag = 'h' . $this->element->getDepth();
- $text = $this->element->getText();
+ if (Settings::isOutputEscapingEnabled()) {
+ $text = $this->escaper->escapeHtml($this->element->getText());
+ } else {
+ $text = $this->element->getText();
+ }
  $content = "<{$tag}>{$text}</{$tag}>" . PHP_EOL;
 
  return $content;

src/PhpWord/Writer/HTML/Part/AbstractPart.php

@@ -19,6 +19,7 @@
 
 use PhpOffice\PhpWord\Exception\Exception;
 use PhpOffice\PhpWord\Writer\AbstractWriter;
+use Zend\Escaper\Escaper;
 
 /**
  * Abstract HTML part writer
@@ -34,6 +35,16 @@ abstract class AbstractPart
  */
  private $parentWriter;
 
+ /**
+ * @var \Zend\Escaper\Escaper
+ */
+ protected $escaper;
+
+ public function __construct()
+ {
+ $this->escaper = new Escaper();
+ }
+
  /**
  * Write part
  *

src/PhpWord/Writer/HTML/Part/Head.php

@@ -41,14 +41,14 @@ public function write()
  {
  $docProps = $this->getParentWriter()->getPhpWord()->getDocInfo();
  $propertiesMapping = array(
- 'creator' => 'author',
- 'title' => '',
+ 'creator'  => 'author',
+ 'title'  => '',
  'description' => '',
- 'subject' => '',
- 'keywords' => '',
- 'category' => '',
- 'company' => '',
- 'manager' => ''
+ 'subject'  => '',
+ 'keywords'  => '',
+ 'category'  => '',
+ 'company'  => '',
+ 'manager'  => ''
  );
  $title = $docProps->getTitle();
  $title = ($title != '') ? $title : 'PHPWord';
@@ -62,8 +62,9 @@ public function write()
  $value = ($value == '') ? $key : $value;
  $method = "get" . $key;
  if ($docProps->$method() != '') {
- $content .= '<meta name="' . $value . '" content="' .
- $docProps->$method() . '" />' . PHP_EOL;
+ $content .= '<meta name="' . $value . '"'
+ . ' content="' . (Settings::isOutputEscapingEnabled() ? $this->escaper->escapeHtmlAttr($docProps->$method()) : $docProps->$method()) . '"'
+ .' />' . PHP_EOL;
  }
  }
  $content .= $this->writeStyles();

src/PhpWord/Writer/HTML/Style/Paragraph.php

@@ -17,6 +17,8 @@
 
 namespace PhpOffice\PhpWord\Writer\HTML\Style;
 
+use PhpOffice\PhpWord\SimpleType\Jc;
+
 /**
  * Paragraph style HTML writer
  *
@@ -39,7 +41,40 @@ public function write()
 
  // Alignment
  if ('' !== $style->getAlignment()) {
- $css['text-align'] = $style->getAlignment(); // todo: convert OpenXml to Html values
+ $textAlign = '';
+
+ switch ($style->getAlignment()) {
+ case Jc::START:
+ case Jc::NUM_TAB:
+ case Jc::LEFT:
+ $textAlign = 'left';
+ break;
+
+ case Jc::CENTER:
+ $textAlign = 'center';
+ break;
+
+ case Jc::END:
+ case Jc::MEDIUM_KASHIDA:
+ case Jc::HIGH_KASHIDA:
+ case Jc::LOW_KASHIDA:
+ case Jc::RIGHT:
+ $textAlign = 'right';
+ break;
+
+ case Jc::BOTH:
+ case Jc::DISTRIBUTE:
+ case Jc::THAI_DISTRIBUTE:
+ case Jc::JUSTIFY:
+ $textAlign = 'justify';
+ break;
+
+ default:
+ $textAlign = 'left';
+ break;
+ }
+
+ $css['text-align'] = $textAlign;
  }
 
  // Spacing